Privacy International

German Land Commissioner's legal analysis condemns SWIFT transfers to U.S.

The Data Protection Commission of the German Land of Schleswig-Holstein (the Independent Centre for Privacy Protection, ICPP) released its legal analysis of the SWIFT transfer of transactional data to the US Government. The analysis was released August 23, 2006 and is available for download on the commissioner's website at http://www.datenschutzzentrum.de/wirtschaft/swift/060825_swift.pdf. We have copied the English translation below.

The analysis concludes that the transfers violate German and European data protection law, and calls for the immediate cessation of the mirroring of European data in the U.S. data centre. That is, the analysis sees no reason why intra-EU transactions should be processed at SWIFT's data processing offices in the U.S., and therefore does not believe that SWIFT's European operations need to be held by the SWIFT offices in the U.S. through any form of mirroring. As such, data on intra-European transfers should never fall within the legal jurisdiction of the U.S. Government.

In this analysis, SWIFT is seen as a data processor for German banks, thus giving the Commission of Schleswig-Holstein jurisdiction over the case.

For intra-European transactions over the SWIFT network (between banks in EU member states), the Commission's analysis concludes that the transfer of the data to the U.S. SWIFT data centre has no legal basis, and in turn the hand-over of the data to the U.S. authorities is also illegal. The Commission doubts that the use of contractual clauses will help resolve this situation.

For transfers between EU institutions and U.S. institutions (between banks in the EU member states and banks within the U.S.), the Commission's analysis finds that there is no legal basis because of the lack of data protection safeguards in the U.S. The analysis goes on to say that it is the responsibility of the German banking institutions to show that the transfer of the data to the U.S. authorities was proportionate; as no such proof has been provided, the transfers are illegal.


Opinion delivered by ICPP on August 23rd, 2006

International wire transfer by Schleswig-Holstein banks using SWIFT

I. Result Summary:

The turn over of European citizens’ financial data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), established in Belgium, to United States authorities violates German and European data privacy law.

II. Statement of the Reasons

In international wire transfers, the bank receiving an order is responsible for compliance with privacy protection regulations and for the confidential use of personal data all the way to the company receiving the transfer.

The commissioned banks, insofar as they have entrusted legally independent companies with data processing, especially the forwarding of wire transfer records, are responsible for ensuring the level of data protection required by the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) in an unbroken chain all the way to the receiving financial institution.

Involving third parties that support the forwarding of client data for the purpose of routing a specific international wire transfer is a case of commissioned data processing under section 11 BDSG. The bank instructed to transfer money is responsible for providing an unbroken chain of written contracts with all financial institutions involved, guaranteeing a constantly high level of protection as required by the provisions of the Federal Data Protection Act for the data concerned.

SWIFT acts as an agent or subcontractor of the data controllers, the members of the SWIFT group. At present, SWIFT does not give sufficient privacy protection guarantees that would justify handing over personal data to be processed by SWIFT. Particularly missing is a privacy protection measure comparable to the one provided in section 11 BDSG that ensures that SWIFT is bound to instructions and to the confidential use of the bank customers’ data entrusted to it.

SWIFT maintains a database in the United States of America which includes data records of European citizens who have no contractual relations with U.S. agencies or U.S. banks. Proof of a legal basis supporting the transfer of these data by SWIFT/Europe to SWIFT/U.S.A. is still lacking. Measures to ensure an adequate level of data protection in the U.S. alone are not sufficient.

The instructing banks also bear joint responsibility for illegal transfers of personal data by SWIFT to the U.S. and for the illegal processing of these data in the U.S., because, as the responsible principals, they are obliged to ensure lawful processing in compliance with data protection law.

The turn over of all or part of the SWIFT customer data records by European banks to the U.S. Treasury Department or U.S. intelligence services for the purpose of fighting terrorism is illegal due to the absence of a legal basis for such data transfers.

The protection of the right to individual self-determination in international money transfers requires written proof or warranty of adherence to adequate data protection standards, valid for all companies in the transfer chain.

III. Statement of the Reasons in Detail:

In this case, a distinction is made in respect of data privacy law

  1. between data transfer of a company as an instructing institution to the data centres as well as from there
  2. to the central giro institutions involved,
  3. data transfer between the central giro institutions involved and SWIFT, as well as
  4. data transfer between SWIFT and companies of the respective remittee established in third countries,
  5. data transfer between SWIFT/Belgium and SWIFT/U.S.A., and
  6. a turn over of entire database records by SWIFT/U.S.A. - according to current knowledge - on the basis of an administrative subpoena by the U.S. Treasury Department to the Central Intelligence Agency (CIA).

Add 1. and 2. Legal basis for data transfer between the financial institution receiving the customer order and the data centres and onwards to the central giro institutions

  1. Facts of the case

In order to route international banking transactions on behalf of their clients, Schleswig-Holstein banks have for the most part commissioned centralized institutions, the central giro institutions.

In IT terms, the majority of German branch banks are connected to and supported by data centres belonging to their own enterprise. Orders to conduct international transfers are usually received first by the data centres and are then forwarded to the respective central giro institution.

  2. Valuation

aa. Applicability of Data Protection Law

Pursuant to section 2 (4) BDSG, the addressees of the regulations laid down in the Federal Data Protection Act are private bodies, i.e. natural or legal persons, companies and other private-law associations. According to section 3 (7) BDSG, any person or body collecting, processing or using personal data on his or its own behalf, or commissioning others to do so, is classified as a controller within the meaning of the law. The Federal Data Protection Act does not provide a group privilege. This fundamental decision was reaffirmed by the legislator when passing the 2001 amendment of the Federal Data Protection Act.

Pursuant to section 3 (4) no. 3 BDSG, the transfer of personal data in particular is defined as the disclosure of data to a third party by means of data processing, either a) through transmission of the data to the third party or b) through the third party inspecting or retrieving data held ready for inspection or retrieval.

Only the personal data of individuals (natural persons) are protected pursuant to section 1 (1) BDSG. Section 3 (1) BDSG defines personal data as any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject).

According to the Central Credit Committee (Zentraler Kreditausschuss, ZKA), most international wire transfers are commissioned by companies acting as legal persons; yet, out of the up to 12 million SWIFT-supported transfers, there are millions of daily transactions initiated by private individuals (natural persons). Moreover, companies are also protected by the data protection laws as long as identifiable individuals acting on behalf of the companies can be identified whose rights to privacy are affected.

Bank clients who order international wire transfers fill in a standardized form. On the basis of this form, the commissioned company prepares a corresponding international payment transaction notification for transmission via the SWIFT network to the credit institution of the payee. The international payment transaction notifications are set up according to ISO standards. They comprise, among other things, personal data on the ordering party, the remittee, the amount, and the purpose of use. In a transfer order to a state outside the European Union, the address of the ordering party is also included in the data record. The notifications are transferred, comparable to an email service, via a so-called Virtual Private Network operated by SWIFT.

bb. Legal Basis

The data transfer at hand needs to be legally justified under section 4 (1) BDSG or has to meet the requirements under section 11 BDSG; additionally, insofar as it is a data transfer to a party not mentioned in section 4b (1) BDSG, it requires a cumulative justification pursuant to sections 4b, 4c BDSG.

The collection of data is based on a contract between the financial institute commissioned with the international money transfer and the customer as the principal of the order, for the purpose of transferring money to a person in a third country (transfer order/agency contract). The involvement of data centres or central giro institutions in the performance of the order is neither covered by the contract, nor is the customer usually aware of such involvement. The routing of data takes place between two legally independent parties and requires a separate legal basis pursuant to section 4 (1) BDSG, unless a privileged case under section 11 BDSG exists. The commissioned collection, processing or use of personal data pursuant to section 11 BDSG serves to secure the data privacy and data security standards imposed on a controller who chooses to process personal data not on his own premises. This objective is reached by imposing full responsibility for privacy protection on the principal, whereas the body commissioned to fulfil the task serves only as an auxiliary body of the principal and is completely subject to its instructions. Commissioned data collection, processing, or use is not identical with those business relations between two or more companies referred to as outsourcing. Also, for the classification of data forwarding as commissioned data processing under section 11 BDSG, it is not relevant what kind of civil contract is established between the contracting bodies. The most important criterion for classification as a commission is the merely auxiliary function of the agent regarding data collection, processing, or use in fulfilling the tasks and the business purpose of the controller.

The involvement of the central giro institutions serves - according to current knowledge - merely to collect and batch the handling of international payment transactions within the network of branch banks. They have no power of decision concerning the method and manner of data processing; the baseline method is largely standardized. The central giro institutions are used as an extension of the banks, focused solely on the functional execution of the order. Hence, it appears that no contrary views are taken regarding the relationship between the banks commissioned by citizens or customers and the central giro institution. Consequently, they have to be classified as agents under section 11 BDSG. There are no indications of a transfer of function.

The legal basis under section 28 (1) BDSG put forward by the ZKA in its statement of August 10, 2006 (which contains no substantive reference to the involvement of central giro institutions in lawfully forwarding data to the remitting financial institute) must fail, because the customer cannot see from the underlying transfer order which route and which specific bodies will be involved in performing the international transfer. The underlying relationships between financial institutions for a specific international transaction are not revealed to the customer. Moreover, the underlying chains of transfer involving data centres, central giro institutions, occasionally special international payment transaction systems, correspondent credit institutes in third countries and financial institutes involved on other terms are unknown to the consumer and are not revealed within the actual transfer contract with the data subject. Bank clients who engage in international wire transfers only conclude contractual relations with the specific financial institute they place their order with. Within this framework of the underlying (valuta) relationship, it is only transparent to the customer that, in handling international payment transactions between themselves and the remittee, the remitting financial institute is engaged on the basis of a corresponding collection relationship between the remittee and the commissioned (foreign) financial institution. For these reasons a classification of data forwarding according to sections 4, 28 (1) cl. 1 no. 1 BDSG is not applicable.

The absence of written contracts, as required pursuant to section 11 (2) cl. 2 BDSG, concerning the necessary privacy protection and data security measures for central giro institutions in their function as commissioned agents results in an illegal data transfer to a third party, due to the absence of an effective legal basis under section 11 BDSG.

Add. 3 Forwarding of Data between Central Giro Institutions and SWIFT

As stated under add. 1 and add. 2, data centres as well as central giro institutions act, from the data protection point of view, as commissioned agents of the companies that initially received orders for international wire transfers from their clients (even though unlawfully, since an effective contractual basis for the data transfer under section 11 BDSG is lacking). As commissioned agents, data centres and central giro institutions are strictly bound to instructions concerning the use of the data entrusted to them for the performance of the order, cf. section 11 (3) cl. 1 BDSG (cf. on this Walz in Simitis, BDSG Commentary, 6th ed., section 11 BDSG, no. 56; Gola/Schomerus, 8th ed., section 11, no. 24).

The central giro institutions involved only perform the task commissioned by the individual banks: to forward the incoming international transfer orders to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) as its contractual partner. From the data protection point of view this again constitutes a data transfer between legally independent companies that needs legal justification. On the grounds of the underlying sub-commission between banks and central giro institutions, their total dependence on instructions, and the standardization of the mass business processes, this is to be qualified as commissioned collection, processing, or use of personal data under section 11 BDSG. From this point of view SWIFT can be classified as a subcontractor of the commissioning European banks under Article 17 (2) and (3) of Directive 95/46/EC. Evidently SWIFT itself also assumes such a classification: item 4.5.3, subsection 4 of the company's General Terms and Conditions of January 2005 points out that SWIFT is bound to the instructions of its clients, especially in forwarding personal data in messages and files, and recognizes its status as data processor according to EC Directive 95/46. Also, recital 47 of the EC Directive provides that, in the case of messaging, privacy protection responsibility lies with the person from whom the message originates. The data processor is subject to European data protection law and its standards under Article 17 (2) of Directive 95/46/EC.

There are no indications that functions have been assigned to SWIFT, and thus that it bears responsibility of its own as a controller pursuant to the BDSG. As stated above, the commission to receive transfer data in a specific format and to forward them to a third party fulfils subordinate auxiliary functions for the account of the ordering financial institutions only. The company's business terms point out this fact very clearly.

Also, the cross-border character within the EU (to Belgium or The Netherlands) constitutes no obstacle to classifying the forwarding of data as processing by a data processor: this would only be the case if the service provider SWIFT could be classified as a third party in the sense of section 3 (4) no. 3 BDSG. If it were a third party, the forwarding would be classified as a data transfer under the BDSG, and the statutory prohibition subject to permitted exceptions pursuant to section 4 (1) BDSG would apply. However, according to section 3 (8) cl. 3 BDSG, third parties do not include the data subject or persons and bodies commissioned to collect, process or use personal data in Germany, in another member state of the European Union or in another state party to the Agreement on the European Economic Area. This privilege is restricted to recipients of personal data within the territory of the European Union or European Economic Area (EEA).

The written contract to be presented by the commissioning bank (see items 1 and 2 above) has to include specific stipulations concerning the admissibility of subcontracting – in this case to SWIFT – so that data centres and central giro institutions are enabled to conclude a corresponding sub-commission concerning the further processing of the data entrusted to them. Otherwise they would lack the power to engage further bodies in data processing without the permission of the principal. There would be a risk that responsibility for the legality of data processing “vanishes”, or that the standard of data security verified by the principal and given in writing is undermined (cf. Simitis-Walz, ibid., no. 52).

Subcontracting can only be allowed by the commissioning banks if the agent – in this case the data centres and central giro institutions – ensures, and if necessary also proves, that it complies with its obligations and that the subcontractor observes the privacy and data protection standards as stipulated (cf. Simitis, ibid., no. 52). The principal remains responsible as controller of the data processing even in relation to the subcontractor. The agent placing the order with the subcontractor has to stipulate this by contract and has to ensure that the principal can actually exercise its obligation to check on the subcontractor (cf. Gola/Schomerus, ibid., no. 27).

The fact that SWIFT seems to be the only service provider supporting specific methods of moving money abroad has no relevance for its legal classification as data processor. Otherwise the level of privacy protection to be provided by financial institutions when using third-party services would be subject to market conditions. Insofar as the objection suggests that sufficient influence on SWIFT's business terms is lacking, this clearly contradicts the legal construction of SWIFT, which according to its structure is operated by the cooperative financial institutions themselves. Accordingly, there is no evidence of unsuccessful attempts by German financial institutions on SWIFT's coordinating committee to demand improvements in line with the privacy protection law in force.

Furthermore, it is necessary to contractually stipulate an obligation of the agent as well as of the subcontractor to notify the principal of processing disruptions relevant to privacy and data security, or of other contractually relevant incidents.

At present there are no agreements as required under section 11 BDSG between the central giro institutions commissioned by the individual banks and their business partner, the Society for Worldwide Interbank Financial Telecommunication (SWIFT), which is classified as a subcontractor from the point of view of data privacy law. In particular, SWIFT's General Terms and Conditions of January 2005 as well as its Data Retrieval Policy of May 26, 2006 do not include any terms that would implement the privacy and data security requirements under section 11 BDSG. Explicit written stipulations of a strict obligation to act only on instructions from the principal are missing. On the contrary, the Terms and Conditions as well as the Retrieval Policy provide a contractual framework that raises reasonable doubts concerning the legal validity of the commission from the privacy point of view, for two reasons:

  1. The General Terms and Conditions refer to further product-related information and general terms that are not available. In particular, sufficient information stipulating the requirements under section 9 BDSG and the Annex to section 9 BDSG is missing. Without further information it cannot be assumed that SWIFT/Europe transfers personal data in compliance with the law in force.
  2. In view of the international activities and presence of SWIFT and the connection between SWIFT/Europe and the Operating Centres of SWIFT/U.S.A., sufficient transparency is necessary as to whether, to what extent and at which locations personal data of European or German citizens or bank clients are stored and processed. This is especially true for any legally independent service provider engaged by SWIFT who gains access to personal data from SWIFT’s databases. Only on this basis can the principals of the orders decide whether and to what extent sufficient measures are taken by SWIFT concerning third-country transfers under Articles 25 and 26 of Directive 95/46 and sections 4b, 4c BDSG to ensure the legality of data processing. These safeguards affect the legality of data transfer only as regards the adequate level of protection in third countries.
  3. Missing is the principal's right to check on the technical and organisational measures taken at the locations, in compliance with section 11 (2) cl. 3 BDSG. At present, such a right is evidently only granted to SWIFT in relation to its own clients, in this case the central giro institutions, according to item 4.5.5, subsection 2 of the Terms and Conditions.
  4. Item 3.5.3 of the Terms and Conditions grants SWIFT the right to change services and products at any time if such changes are required by any regulatory authority. This clause is not sufficiently specific. It is not clear whether the designated authorities are only national (Belgian) authorities or whether authorities from third countries are granted a similar status. Since such orders from authorities can affect the technical and organisational protective measures concerning personal data processing, an explicit proviso of legality in compliance with the basic rights of EU citizens is necessary.
  5. Item 3.2 of the Data Retrieval Policy (Mandatory Requests) is not sufficiently determined. It also raises the question already noted under item 4 concerning the specific authority designated. Furthermore, having in mind any claims for the turn over of personal data from insecure third countries, a contractual obligation is necessary to notify the directly affected clients/principals beforehand and without delay, in order to perform and coordinate the turn over to the extent necessary. Having in mind illegal claims, an obligation to check the substantive law concerning claims for the turn over of personal data should always be stipulated with the subcontractor, including his right to reject such a claim until a legal investigation of the matter has taken place. In any case, the agent is obliged to resist obviously illegal claims and, if necessary, to agree with the principal upon a legal solution.

    This standard is necessary because EU citizens can rely on data transfers of customer data only taking place between companies established within the country (or within the EU) and foreign authorities on the basis of bilateral treaties (e.g. treaties providing for mutual judicial assistance) or international treaties in individual cases.
  6. The Data Retrieval Policy of May 26, 2006, which explicitly refers to the legality of turning over data on the grounds of a so-called “bona fide subpoena or other lawful process by court or other competent authority”, states that there are no preceding versions, making a review of the lawfulness of the preceding period since 2001 impossible. Insofar as the term bona fide subpoena is meant to include an administrative subpoena by the United States Treasury Department such as the one issued in the present case, objections also exist concerning due process as regards similar claims to turn over data in Germany. The latter can only be issued on the grounds of a valid individual court-approved warrant or subpoena (cf. add. 6 below).

Add. 4. and 6. Data transfer between SWIFT and remittees established in the United States (U.S.-related transfer orders) or Operating Centres in the U.S.

The banks' statements distinguish between data transfers into the U.S. on the grounds of U.S.-related payment orders and data transfers without U.S. reference, which only occur because complete data records are mirrored to the U.S. Operating Centre.

  1. Forwarding of Data on occasion of U.S. related payment orders

Forwarding of data on the occasion of a money transfer by SWIFT to a remittee established in the U.S. is always a data transfer from the point of view of privacy law, irrespective of the privileged data processing by a processor within the EU. According to the prevailing opinion, this classification is drawn by reverse conclusion from section 3 (8) cl. 3 BDSG (likewise ZKA, Statement, p. 5, section 4).

According to the facts of the case, it is not sufficiently substantiated whether the performance of a U.S.-related transaction always leads to a turn over of data to SWIFT/U.S.A. Such forwarding of data would also qualify as a data transfer, i.e. disclosure to third parties under section 3 (8) cl. 3 BDSG. Admittedly, the foreign branch of the controller is not explicitly mentioned as a third party. Foreign branches in third countries are, according to the prevailing opinion, nevertheless qualified as third parties, because the legislator did not want personal data of data subjects to be removed from the harmonized protection of Directive 95/46/EC without compliance with the legal requirements for data transfer (cf. Simitis-Dammann, ibid., section 3 no. 247 and Simitis-Simitis, ibid., section 4b, no. 17 with further references).

Data transfer into the U.S. needs to be based on a sufficient legal basis in the BDSG pursuant to sections 4 (1), 4b (2) cl. 1, which can be derived from the bank client's initial transfer order pursuant to section 28 (1) cl. 1, no. 1 BDSG. This is undoubtedly a valid legal basis in cases of direct data transfer between the customer's bank and the U.S. bank of the remittee without any further transfers to SWIFT/U.S.A. in between. In that respect, only the initial payment order between the German-based principal and the remittee established in the U.S. is performed. The German-based bank that initially received the customer order remains data controller of the data transfer in the sense of section 3 (7) BDSG. With regard to this relationship the customer is aware that his order-relevant data are being transferred to the United States.

The requirements enumerated in sections 4b, 4c BDSG as to the level of protection afforded in the recipient country must be met. Forwarding personal data into the U.S. is, pursuant to section 4b (2) cl. 1 BDSG, a transfer of personal data to other bodies abroad (third countries), for which an adequate level of data protection must generally exist in the recipient country. The adequacy of the level of protection afforded is generally assessed in consideration of the circumstances enumerated in section 4b (3) BDSG. In the present case, this consideration may be left open because the exemption named in section 4c (1) no. 2 BDSG, which is subject to strict interpretation and concerns transfers necessary for the performance of a contract between the data subject and the controller, is applicable (cf. on transfer abroad as a typical example Simitis-Simitis, ibid., section 4c no. 13).

Insofar as the realisation of the data transfer necessarily relies on the services of service providers or branches within the U.S., proof of an adequate level of privacy and data protection by these enterprises is still missing (see below).

  2. Forwarding of Data without U.S. Relation/Mirroring data records into the U.S.

The forwarding of German customer data by SWIFT/Europe to SWIFT/U.S.A. without a U.S. relation – e.g., transactions within Europe that are transferred to the U.S. Operating Centre only for security reasons – is subject to a two-level admissibility check. As already stated above, this can be a data transfer by the initially responsible and commissioned bank, which only uses the SWIFT infrastructure as a tool.

In this scenario, doubts already arise at the level of admissibility with regard to the legal basis under sections 4, 28 BDSG. A legal justification pursuant to section 28 (1) cl. 1, no. 1 BDSG fails due to the lack of a specific and objective necessity of the data transfer into the U.S. for the performance of the contract (cf. the criteria in Simitis-Simitis, ibid., section 28, no. 91, 92). The only purpose of the data transfer into the U.S., as stated so far, is to serve the data security structure developed at SWIFT. This purpose does not serve the routing of a transfer order, because the transfer goal can be achieved without forwarding the data to the U.S. The mere existence of this security infrastructure, contrary to the legislative rationale, does not justify a different assessment. If and insofar as protective measures for compliance with German protective standards were implemented with respect to the necessity of the data transfer, data transfer even to SWIFT/U.S.A. could be admissible. For SWIFT/U.S.A. this would require protective measures similar to those in section 11 BDSG. Further, an adequate level of protection for SWIFT/U.S.A. according to the standards provided by European data protection law has to be created. Additionally, it seems possible that the data transfer into the U.S. could be designed as a black-box procedure using encrypted data that cannot be accessed by SWIFT/Europe without a corresponding binding instruction from the relevant cooperative head office, and which accordingly cannot be turned over offhand.

At present, the data transfer is illegal with regard to the requirement of an adequate level of protection in the recipient country: in that respect, an adequate level of protection should at least be ensured for the data processing taking place at the Operating Centre of SWIFT/U.S.A. Since no binding determination regarding an adequate level of protection in the U.S. pursuant to Article 31 (2) of EU Data Protection Directive 95/46 exists, since according to the current state of information SWIFT has not acceded to the Safe Harbour Principles (cf. on this Simitis-Simitis, ibid., section 4b, no. 70 ff.), and since to current knowledge no exceptional permission has been issued by an authority under section 4c (2) BDSG, the data protection guarantees granted to EU citizens are missing regarding data transfers to SWIFT/U.S.A.

The standard contractual clauses of September 16, 2005 between SWIFT/Europe and SWIFT/U.S.A., as known to ICPP, do not provide an adequate level of data protection in the recipient country. For according to Annex B of the contract, they involve a legitimization of data processing, especially in relation to SWIFT employees. This also follows from the chosen contractual template, “controller to controller”, based on Decision 2001/497/EC. Evidently, no standard contractual clauses of the principals' own legitimizing the transfer of data from the European principal into the U.S. exist.

Any data transfers for data security purposes from SWIFT/Europe to SWIFT/U.S.A. on the grounds of the material and information at hand are to be assessed as illegal.

The explanations concerning the necessity to maintain an active fall-back system within the frame of a security concept of the company do not lead to a different judgement. On the one hand, the explanations do not concern the so-called first level check according to BDSG, that is, the admissibility of data transfer. Insofar, a sound explanation referring to a sufficient legal basis is missing.

On the other hand, the data security infrastructure does not directly belong to the transactions that are necessary for the execution of a transfer order within Europe for a data transfer under section 4c (1) no. 2 BDSG.

Over and above this, a statement is missing explaining why and for which explicit purposes a) databases are necessary for the network infrastructure of SWIFT, respectively what kind of indispensable tasks they perform, and b) why it is essential to establish them in the U.S. ICPP is not aware of any other comparable cases of fall-back facilities that vitally need intercontinental data mirroring of the total data pool.

The contractual agreement between the German financial institutions and SWIFT, as referred to in the ZKA letter of August 10, 2006, does on no account by itself provide an adequate level of protection that would legalize the data transfers into the U.S. for the purpose of mirroring. Especially wanting on the first check level is a comparable level of protection in compliance with the requirements of section 11 BDSG. Moreover, in order to ascertain the adequacy of the level of protection it is necessary, for instance, to use the instruments provided by the EU Commission or to ask the respective competent authority for an exceptional permission.

Basic concerns incidentally exist against contractual solutions, including those supported by standard contractual clauses, if and to the extent to which the third country does not provide protection against governmental access to personal data in a way corresponding to the level of protection within the EU. Insofar, the use of standard contractual clauses as a guarantee under section 4c (2) cl. 1 BDSG and Article 26 (2) of the Personal Data Protection Directive 95/46/EC for data transfer to third countries is disqualified (cf. Dammann-Simitis, Commentary EU Data Protection Directive, Art. 26, no. 16). At this point major concerns currently exist even in the U.S. regarding the regulations developed by the U.S. Treasury Department to turn over records of international wire transfers.


Turn over of data records by SWIFT to U.S. Authorities or the CIA

  1. Facts of the Case

    According to the statement of ZKA of August 10, 2006, which is based on the statement of a spokesperson from the U.S. Treasury Department, only “a subset of its records” has been turned over on the basis of a so-called administrative subpoena issued by the U.S. Treasury Department. It was alleged that the records were drawn entirely from a SWIFT/U.S.A. database on U.S. territory. In the ZKA statement it is emphasized under item I.5 that, according to statements of the U.S. Treasury Department, no data records from the server of the European Operating Centre have been turned over. Moreover, the ZKA statement refers to a framework agreement between SWIFT and the U.S. Treasury Department which is obviously available to SWIFT and its affected members and which from an unspecified date onwards – according to press records probably since 2003 – includes terms for data transfer to U.S. authorities.

    The facts of the case raise a number of further issues. As far as the ZKA refers to an unavailable framework agreement between SWIFT and the U.S. Treasury Department, this causes amazement. At least one of the affected members, being a legally responsible contractor and responsible member of SWIFT, should be allowed to receive or produce a copy of the said framework agreement. As long as this agreement is not presented and reliable facts concerning the date on which the agreement was concluded are not available, it cannot be taken into account for the further legal assessment. It is not understandable why an agent who enters into a secret agreement negotiating the conditions of turn over of sensitive financial data entrusted to him by numerous clients, and who is organised and led as a cooperative, is not able to clarify the current and historical facts of the case and to produce the relevant documents.

    According to media records relating to the issue, especially an article published in the New York Times on June 23, 2006, the said agreement between SWIFT and the U.S. Treasury Department has only been in effect since 2003. Before this date the U.S. Treasury Department is said to have had full access to the complete records of SWIFT. The so-called administrative subpoenas have only been issued to give SWIFT a minimum of legal certainty for the turn over of records. Only in 2003 had the legal concerns of executives at SWIFT grown to an extent that made them ask for a further reduction concerning the transfer of data. The so-called administrative subpoenas as a legal basis for the turn over of records are still highly disputed, as reported in the N.Y.T. on June 23, 2006 as well as in the Los Angeles Times on June 24, 2006. According to these reports, law enforcement officials relied on grand-jury subpoenas or court-approved warrants until 9/11. Ever since this incident administrative subpoenas have become frequent. This account of the facts has still not been refuted.

    Concerning the press reports on SWIFT, a secret Bush administration eavesdropping program, also relying on broad administrative subpoenas of the U.S. President with reference to his war against terror, is often mentioned. In this respect, it is to be noted that in the meantime, according to a press report of August 17 (Spiegel-Online, August 17, 2006), a circuit court in Detroit/Michigan/U.S.A. has revoked the actions of U.S. authorities because they did not seek court-approved warrants.

    The statement of ZKA in reference to a statement of a U.S. Treasury Department employee, according to whom data from the server of the European Operating Centre has not been turned over, is not understandable. This statement can neither be found in the cited statement of Mr. Levey, Under Secretary for Terrorism and Financial Intelligence, U.S. Department of the Treasury, before the House Financial Services Subcommittee on Oversight and Investigations, nor can it be detected in other press reports. On the contrary, this assumption contradicts the ZKA statements (bottom of page 5) according to which payment orders of European citizens not related to the U.S. could be found in the U.S. Operating Centre due to the procedures of the SWIFT data security concept, including full data mirroring. It has to be assumed that these data records on solely European transactions were subject to the examinations by U.S. authorities.

    The ZKA statement does not mention the fact that the data turned over by SWIFT did not concern transfer data about specific, individually accused suspects but a complete or partial turn over – possibly since 2003 – of all information available to SWIFT on transfer orders of their clients, which has lasted for at least five years and has not been stopped since.

  2. Valuation

    It has already been stated above that SWIFT is acting as an agent on behalf of the financial institutions (principal-agent relationship). As an agent, SWIFT is strictly bound to instructions concerning personal data entrusted to it. The financial institution always stays responsible as a controller when forwarding or transferring such data to third parties. Insofar, the financial institutions established in Germany using the SWIFT network are responsible for checking the general terms and conditions and the data retrieval policy as regards contradictions and infringements of guaranteed protective standards, and for bringing about the necessary adaptations.

    The turn over to U.S. authorities of inner-European transfer orders, unnecessarily transferred to the U.S., lacks a legal basis because the transfer of these data to SWIFT/U.S.A. without a sufficient legal basis constitutes an unlawful act. These data should not have been accessible to U.S. authorities on U.S. territory in the first place.

    There are also no sufficient measures taken, especially from the measures provided by the EU, to establish an adequate level of protection by SWIFT/U.S.A. Even if EU standard contract clauses had been chosen, basic concerns about the adequate level of protection would still prevail. As long as no protection against state access to personal data is guaranteed that corresponds to the European level of protection, contractual clauses on the transfer of personal data to third countries are not sufficient as a guarantee pursuant to § 4c (2) cl. 1 BDSG and Art. 26 (2) of Directive 95/46/EC (cf. Dammann-Simitis, Commentary on the EU-Directive, Art. 26, no. 16). Insofar, significant concerns exist as regards the administrative subpoenas issued by the U.S. Treasury Department. The issue is also subject to disputes in the U.S.

    Even in case information on transfer orders with regard to the U.S. is claimed by U.S. authorities from SWIFT/Europe, the principal in Germany stays responsible for checking the claim as long as the disposal of data is still under the authority of the agent. Because the agent SWIFT is acting across borders and in an – from the data protection point of view – insecure third country, the agent has to prove that the data centres involved provide sufficient data protection measures. This could be achieved, with regard to compliance with BDSG protection standards, by changes in the Data Retrieval Policy of SWIFT as outlined in items 3 and 4.

    Pursuant to sections 28 (3) no. 2, 28 (6) no. 3 BDSG such data transfer to public bodies is legitimate if no reason exists that outweighs the data subject’s interest in excluding turn over. The BDSG requires a decision that is subject to a weighing of reasons by the controller, who has to make use of all available information to ensure that the requirements for the claim are met. The commissioned collection, processing or use of personal data requires that the principal ensures a respective obligation of the agent in writing (cf. on this proviso 5d on standard contractual clauses for commissioned data processing, Decision by the Commission 2002/16/EC).

    Single data records should only have been turned over after consulting the affected financial institutions. The – substantive – obligation to check the claim of the U.S. Treasury Department should have resulted in a refusal to comply with the claim, the scope of data and the duration of the measure being obviously unlawful.

    The violation of data protection law and the responsibility for the unlawful turn over of data by SWIFT also rest with the financial institutions in Schleswig-Holstein that accepted transfer orders from Schleswig-Holstein citizens. In terms of data privacy law they are responsible for the chain of companies involved guaranteeing the confidentiality of the data entrusted to them by their clients for a specific purpose.
